Building a WHMCS Billing System for Nigerian Naira — Complete Setup Guide

XclusiveCLoud — Sun, 24 May 2026 10:17:39 +0000

WHMCS is the industry-standard billing and client management platform for web hosting
companies. If you're building a hosting business in Nigeria, here's exactly how to
configure WHMCS for Nigerian Naira billing with Paystack.

This is the exact setup we use at XclusiveCloud (xclusivecloud.com).

## Prerequisites

- WHMCS license (start with a Starter license at ~$15.95/month)
- cPanel/WHM hosting environment
- Paystack business account (verified with CAC documents)
- Your domain (e.g., xclusivecloud.com)

## Step 1: Install WHMCS

Upload WHMCS to your server root and run the installer:

bash
cd /home/username/public_html
unzip whmcs.zip
php install/install.php


During setup, configure:
- MySQL database credentials
- Admin username and password
- License key from whmcs.com

## Step 2: Configure Nigerian Naira Currency

In WHMCS Admin → Setup → Currencies:

1. Delete or deactivate USD as the default
2. Add Nigerian Naira:
   - Currency: Nigerian Naira
   - Code: NGN
   - Prefix: ₦
   - Suffix: (leave blank)
   - Rate: 1.00 (set NGN as the base currency)
3. Set NGN as the **default currency**

## Step 3: Install Paystack Payment Module

Download the WHMCS Paystack module from:
https://github.com/PaystackHQ/paystack-whmcs

Upload to `/modules/gateways/` and activate in:
WHMCS Admin → Setup → Payment Gateways → Paystack

Enter your Paystack Live Secret Key and Public Key from your Paystack dashboard.

## Step 4: Configure Paystack Webhook

In your Paystack dashboard → Settings → API Keys & Webhooks:

Set webhook URL to:https://yourdomain.com/modules/gateways/callback/paystack.php

plaintext

This allows automatic invoice payment confirmation.

## Step 5: Create Nigerian Hosting Products

In WHMCS → Setup → Products/Services → Create Product:

Example: Shared Hosting - Basic
- Price: ₦3,000/month, ₦30,000/year
- Module: cPanel
- Welcome email: include cPanel login details

## Step 6: Configure Nigerian Tax (VAT)

Nigeria has 7.5% VAT. In WHMCS → Setup → Tax Rules:

- Tax name: VAT
- Rate: 7.5%
- Apply to: All taxable products

## Useful Customisations for Nigerian Market

php
// In /includes/hooks.php — add Naira formatting
add_hook('ClientAreaProductDetails', 1, function($vars) {
// Custom naira price display
});


Full guide and WHMCS config files at: xclusivecloud.com/blog/whmcs-nigeria-naira-setup

How to Harden a cPanel/WHM Server Against Common Attacks (Nigerian Hosting Guide)

XclusiveCLoud — Sun, 24 May 2026 10:14:43 +0000

As someone who runs a web hosting company in Nigeria (XclusiveCloud — xclusivecloud.com)
and is doing postgraduate research in Cyber Threat Intelligence, server security isn't
theoretical for me — it's something I implement and maintain daily.

Here's a practical hardening checklist for cPanel/WHM servers, based on what actually
works in Nigerian hosting environments.

## 1. Enable and Configure CSF (ConfigServer Security & Firewall)

CSF is the go-to firewall for cPanel servers. Install it:

bash
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh


Critical CSF settings to change in `/etc/csf/csf.conf`:

properties
TESTING = "0" # Disable test mode
LF_SSHD = "5" # Block IP after 5 failed SSH attempts
LF_CPANEL = "10" # Block after 10 failed cPanel logins
CT_LIMIT = "100" # Max connections per IP

## 2. Restrict SSH Access

Never leave SSH open to the world. In `/etc/ssh/sshd_config`:

ssh
Port 2222 # Change from default 22
PermitRootLogin no # Disable root SSH login
PasswordAuthentication no # Use key-based auth only
MaxAuthTries 3

Generate and use SSH keys instead of passwords:

bash
ssh-keygen -t ed25519 -C "xclusivecloud-server"


## 3. Install ModSecurity WAF

In WHM → ModSecurity Tools, enable ModSecurity and install OWASP CRS rules:

bash
/scripts/modsec_vendor_install


This blocks common web attacks: SQL injection, XSS, remote file inclusion, and directory
traversal — all of which are common targets for Nigerian websites.

## 4. Enable cPGuard (Malware Scanner)

cPGuard integrates directly into cPanel and scans for malware across all hosted accounts.
Enable it in WHM → cPGuard Malware Scanner.

Set up automated daily scans and email alerts to: alert@yourdomain.com

## 5. Force HTTPS for All Hosted Sites

In WHM → Apache Configuration, ensure all cPanel accounts redirect HTTP → HTTPS:

In each user's cPanel → .htaccess:

apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


## 6. Configure Automated Backups

In WHM → Backup Configuration:
- Enable: Yes
- Backup type: Compressed
- Daily backups: Retain 7 days
- Weekly backups: Retain 4 weeks
- Backup destination: Remote (S3 or Backblaze B2)

Never store backups only on the same server. One ransomware attack will encrypt both.

## 7. Disable Unused PHP Versions and Functions

In WHM → PHP Configuration:
- Only enable PHP versions your clients actually use (typically 8.1, 8.2)
- Disable dangerous functions in php.ini:

ini
disable_functions = exec, passthru, shell_exec, system, proc_open, popen

## 8. Enable Two-Factor Authentication on WHM

WHM → Security Center → Two-Factor Authentication

This is mandatory. cPanel credentials are a primary target in credential stuffing attacks.

## 9. Monitor Login Attempts with LFD

CSF's Login Failure Daemon (LFD) monitors and blocks brute-force attacks. Configure
alerts to your email in csf.conf:

properties
LF_ALERT_TO = "security@xclusivecloud.com"
LF_ALERT_FROM = "csf@yourserver.com"

## 10. Regular Security Audits

Monthly checklist:
- [ ] Run `rkhunter --check` to detect rootkits
- [ ] Review CSF block list for persistent attackers
- [ ] Check for accounts with weak passwords (WHM → Password Strength)
- [ ] Review error logs in `/usr/local/cpanel/logs/`
- [ ] Verify all SSL certificates are valid and auto-renewing

---

If you're running a Nigerian hosting business or self-hosting your own cPanel server,
implementing all of the above should be your first priority before onboarding clients.

I cover server security in more depth on the XclusiveCloud blog at xclusivecloud.com/blog —
including guides specific to Nigerian hosting environments.

What security measures are you running on your servers? Happy to discuss in the comments.

DEV Community: XclusiveCloud

Building a WHMCS Billing System for Nigerian Naira — Complete Setup Guide

How to Harden a cPanel/WHM Server Against Common Attacks (Nigerian Hosting Guide)